October 09, 2013 Articles

Glitches Within the CFAA's "Exceeds Authorized Access" Language

Defendants facing charges under the Computer Fraud and Abuse Act are affected by differing interpretations of a specific provision.

By Aaron M. Danzig and Matthew A. S. Esworthy

In 1986, Congress passed the Computer Fraud and Abuse Act (CFAA) as a means to address the growing problem of computer crime and, specifically, individuals engaged in computer intrusion and hacking. 18 U.S.C. § 1030. Among other things, the CFAA criminalizes accessing protected computers without authorization and also prohibits individuals who have authorized access to protected computers from exceeding the scope of their authorization. 18 U.S.C. § 1030(a). A protected computer includes those exclusively used by financial institutions and the government and those used in interstate commerce or communication. 18 U.S.C. § 1030(e)(2). Criminal penalties can reach up to 10 years’ imprisonment for a first offense. 18 U.S.C. § 1030(c). Additionally, after an amendment created a civil cause of action under the CFAA, 18 U.S.C. § 1030(g), employers have increasingly utilized the statute in civil suits against former employees accused of a range of improprieties committed on computers during employment, including former employees who accessed company computers to gain information for use in competing with their former employers.

The meaning of “exceeds authorized access” has come under increased scrutiny in the courts recently, with differing outcomes. Some courts have held that the violation of an employer’s computer-use policy could lead to a criminal violation under the CFAA, while other courts have rejected that view as too expansive.
